
Token Exchange uses wrong tokenType for /userinfo request #3335

Closed
3 tasks done
0x0dr1y opened this issue Feb 7, 2024 · 0 comments · Fixed by #3336


0x0dr1y commented Feb 7, 2024

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.38.0

Storage Type

etcd

Installation Type

Official Helm chart

Expected Behavior

When performing a tokenExchange, Dex will reuse the tokenType set in subject_token_type for requesting the userInfo from the upstream IdP (https://github.com/dexidp/dex/blob/master/connector/oidc/oidc.go#L436).

This will lead to errors as neither urn:ietf:params:oauth:token-type:access_token nor urn:ietf:params:oauth:token-type:id_token are valid token types for the oidc /userinfo endpoint as per RFC 6750.

Actual Behavior

Dex follows the oidc spec and uses Bearer as token type for /userinfo requests.

https://openid.net/specs/openid-connect-core-1_0.html#UserInfo (5.3.1)

The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token, per Section 2 of OAuth 2.0 Bearer Token Usage [RFC6750].

Steps To Reproduce

No response

Additional Information

No response

Configuration

No response

Logs

No response
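As an added illustration of the header mix-up described in this issue (example code written for this page, not Dex's own code and not from the issue author), the Go program below builds the /userinfo Authorization header both ways and sends each to a constructed stand-in for an upstream IdP's /userinfo endpoint that enforces RFC 6750. The function names (`buggyAuthorization`, `fixedAuthorization`, `newUserInfoServer`, `fetchUserInfo`), the token value and the JSON claims are all assumptions made for the example and are not taken from Dex or any real IdP.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// subject_token_type values from RFC 8693 that a token-exchange client sends.
// They describe the kind of token being exchanged; they are not HTTP
// authentication schemes.
const (
	TokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token"
	TokenTypeIDToken     = "urn:ietf:params:oauth:token-type:id_token"
)

// buggyAuthorization reproduces the behaviour described in the issue: the
// subject_token_type URN is reused as the scheme of the Authorization header.
func buggyAuthorization(subjectTokenType, subjectToken string) string {
	return subjectTokenType + " " + subjectToken
}

// fixedAuthorization always uses the Bearer scheme, which OIDC Core 5.3.1
// (via RFC 6750 section 2.1) requires for the /userinfo request.
func fixedAuthorization(subjectToken string) string {
	return "Bearer " + subjectToken
}

// newUserInfoServer is a constructed, hypothetical stand-in for an upstream
// IdP's /userinfo endpoint. Following RFC 6750 section 3 it accepts only the
// Bearer scheme (scheme names are case-insensitive) carrying the one valid
// access token, and otherwise answers 401 with a WWW-Authenticate challenge.
func newUserInfoServer(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		parts := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || parts[1] != validToken {
			w.Header().Set("WWW-Authenticate", `Bearer realm="userinfo", error="invalid_token"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		// Constructed claims for the demonstration.
		fmt.Fprint(w, `{"sub":"248289761001","email":"alice@example.com"}`)
	}))
}

// fetchUserInfo sends one GET to the userinfo URL with the given Authorization
// header value and returns the status code and response body.
func fetchUserInfo(userInfoURL, authorization string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, userInfoURL, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Authorization", authorization)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	// Constructed token value; any opaque string works for the demonstration.
	const subjectToken = "constructed-opaque-access-token"
	srv := newUserInfoServer(subjectToken)
	defer srv.Close()

	for _, auth := range []string{
		buggyAuthorization(TokenTypeAccessToken, subjectToken),
		buggyAuthorization(TokenTypeIDToken, subjectToken),
		fixedAuthorization(subjectToken),
	} {
		status, body, err := fetchUserInfo(srv.URL+"/userinfo", auth)
		if err != nil {
			fmt.Println("request failed:", err)
			continue
		}
		fmt.Printf("%-75s -> %d %s\n", auth, status, body)
	}
}
```

Running it prints one line per request: both URN-scheme requests are answered 401 with a `WWW-Authenticate: Bearer ... error="invalid_token"` challenge, and only the Bearer request receives the claims. The takeaway for anyone reviewing the fix is that subject_token_type only tells the exchange endpoint how to interpret the incoming token; the outgoing /userinfo call has to set the scheme to Bearer regardless of that value.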
